songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit
MIT License
529 stars 148 forks

Should validate client id/secret when validating access token? #17

Closed allenwei closed 12 years ago

allenwei commented 12 years ago

I'm not sure whether it is a security issue. It does validate the client id/secret in authentication, but there is no such validation in authorization, so every client which gets this access token can access the protected resource.

jcoglan commented 12 years ago

This is by design. In the OAuth protocol, the client only sends the access token when requesting a resource. The access token represents the fact that the user has granted that particular client access to certain resources. Each client gets a different token for the same user.

It is up to the client to make sure the token isn't leaked to other parties, by storing it securely and only transmitting it over HTTPS (our provider can be configured to destroy tokens sent insecurely by the client). As such, any entity that stole a client's access tokens can probably also steal its client ID and secret, so sending them with the request doesn't give you any extra safety.

Does this answer your question? Please close the issue or ask further questions if I've not covered everything.
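As an added illustration of the design described in the reply above (example code written for this page, not the oauth2-provider gem's own API): a minimal resource-server token check in which the token record, not the request, carries the client binding, so no client id/secret is needed at resource access time, and a token presented over plain HTTP is destroyed. The `TokenStore` class, its method names and the sample client/user names are assumptions.

```ruby
require 'securerandom'

# Hypothetical in-memory token store modelling the provider behaviour:
# one token per (client, resource owner), and optional destruction of
# tokens that a client sends over an insecure transport.
class TokenStore
  # Each issued token is bound at issue time to one client, one owner
  # and a set of scopes; the client never has to re-present its secret.
  Token = Struct.new(:client_id, :owner, :scopes)

  def initialize(enforce_ssl: true)
    @tokens = {}
    @enforce_ssl = enforce_ssl
  end

  # Issue a fresh random token for (client_id, owner). Two clients asking
  # for the same user get different tokens, so the token alone identifies
  # which client was granted access.
  def issue(client_id, owner, scopes)
    token = SecureRandom.hex(16)
    @tokens[token] = Token.new(client_id, owner, scopes)
    token
  end

  # Validate a bearer token presented on a resource request and return a
  # symbol describing the outcome. No client credentials are required: the
  # client binding already lives in the stored record.
  def check(token, required_scope, https:)
    record = @tokens[token]
    return :invalid_token unless record
    if @enforce_ssl && !https
      # Mirrors the provider option to destroy a token the client leaked
      # by transmitting it over plain HTTP.
      @tokens.delete(token)
      return :token_revoked_insecure_transport
    end
    return :insufficient_scope unless record.scopes.include?(required_scope)
    :ok
  end

  # Resource owner the token was issued for, or nil if unknown/revoked.
  def owner_of(token)
    @tokens[token]&.owner
  end
end
```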

allenwei commented 12 years ago

Fair enough. Thanks @jcoglan